Worms wiggle into IM

Like airborne viruses, instant messaging worms are fledglings, but very much on the rise. These new worms are also proving that once inside a corporate network they can be just as destructive, if not more so, than traditional e-mail attacks.

E-mail remains the most widely used and destructive vehicle for spreading viruses and worms over the Internet, but the first three months of 2005 saw a rise in the number of worms using IM to propagate.

Anti-virus company Trend Micro recently released its first quarter 2005 virus roundup, in which half of the reported outbreaks were IM worms. Since emerging as a proof of concept in 2001, IM worms have taken a back seat to e-mail worms. But the sharp increase in IM-based outbreaks this year signals a revival of the IM vehicle, according to Trend Micro officials.

IM worms are on the rise primarily because of the publishing of the source code for existing attacks, said David Perry, global education director at Trend Micro.

"There have been a couple successful [IM worms] and the source code was made available," Perry said. "Most viruses are minor variations on existing viruses."

IM management and security vendor Akonix Systems noted an alarming 400 percent rise in IM attacks in its Q1 IM and peer-to-peer threat summary.

Akonix's numbers showed more than double the total number of targeted attacks on IM and p-to-p networks in the first quarter of 2005 than in all of 2004, according to Francis Costello, chief marketing officer at Akonix.

"We've seen published threat methods, which lets other virus writers jump in," Costello said.

Just this week virus alerts were issued for the latest variants of the Kelvir worm -- W32.Kelvir.U, W32.Kelvir.T, and W32.Kelvir.N  -- which targets Microsoft's MSN Messenger and Windows Messenger. The Kelvir worm sends a URL via IM; once a user clicks on the URL, a worm is downloaded that sends itself to the now-infected user's contact list.

Although most IM worms target consumer systems such as MSN Messenger, Yahoo Messenger, and AOL's AIM, corporations still should be concerned.

According to IM security tool vendor IMlogic, nearly 85 percent of enterprises use public IM systems, and most do not have any additional security in place.

In fact, most enterprises are severely unprepared for IM-based malware attacks, according to Michael Osterman, president of Osterman Research.

The various types of IM attacks are not a critical problem yet for enterprises, but are rapidly becoming one, Osterman said.

"Within a matter of months this could become a huge problem that could do a lot of damage," Osterman said. "It would take very little to get totally out of control."

IM by its nature is a little more secure than e-mail, Osterman said. IM requires a user to grant permission to incoming contacts and is not as widely used as e-mail for file transport, through which many malicious payloads are sent.

Once inside a company, however, IM worms can wreak havoc because they bypass existing security defenses in place for e-mail, Osterman said.